- From: Brian Smith <brian@briansmith.org>
- Date: Tue, 25 Aug 2015 00:38:26 -0700
- To: Tanvi Vyas <tvyas@mozilla.com>
- Cc: Richard Barnes <rbarnes@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Received on Tuesday, 25 August 2015 07:38:54 UTC
Tanvi Vyas <tvyas@mozilla.com> wrote:

> On Aug 24, 2015, at 11:24 PM, Brian Smith <brian@briansmith.org> wrote:
>
> Neither "priming" nor u-i-r are secure against an active MitM so websites
> cannot rely on them for security. Websites need to use https://
> subresource links to actually be secure.
>
>
> How so? Neither priming or u-r-i has to make an HTTP request. The browser
> makes an HTTP request only when priming fails.
>

The MitM can block the priming request/response.

Cheers,
Brian
--
https://briansmith.org/